
Are there any best practices for storing app-specific PINs (e.g. a 6-digit PIN that isn't part of the device lock screen) on mobile devices (Android/iOS)? I know several banking and authenticator apps do this. Seems like bcrypt with a reasonable work factor (OWASP recommends 10) is still quite easy to crack given a 6-digit PIN. Are there better ways to store it? For example, are there ways to store it in TEE/StrongBox/Secure Enclave (other than using the device lock screen) such that any potential attacker will not have access to the PIN, even with runtime instrumentation tools such as Frida?

user1118764
  • Does [this](https://security.stackexchange.com/q/262425/47524) answer your question? – mentallurg Jun 06 '22 at 11:24
  • Not really, but it does give me some ideas. I was considering storing it in TEE/StrongBox/Secure Enclave, but from what I've gathered (and the provided link seems to confirm), keys cannot be imported into Secure Enclave, but must be generated within and never exported. In my case, I'd like to protect the user PIN, and preferably via some cryptographic primitive that is performed within the TEE/Secure Enclave (so that it cannot be easily hooked within the app), but I'm not sure if this is possible with Android/iOS. – user1118764 Jun 07 '22 at 04:36
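The design the question and its follow-up comment are circling, written out as an added example (not code from the question, from OWASP, or from any Android/iOS SDK): the stored PIN record is a keyed tag, where the key stands in for a non-exportable HMAC key generated inside the hardware keystore. A copy of the record without that key cannot be checked against guesses at all, which is what defeats offline cracking of the 10^6-entry PIN space; an attempt counter covers the online case. `DEVICE_KEY`, the iteration count and the lockout threshold are assumptions of the example, and the PBKDF2 step only slows each guess slightly; the keyed step is what matters.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a hardware-backed, non-exportable HMAC key (Android
# Keystore/StrongBox key or an enclave-wrapped key). On a real device the key
# never leaves the secure hardware and only the tag computation is exposed to
# the app; here it is just bytes in memory so the example runs offline.
DEVICE_KEY = secrets.token_bytes(32)

PBKDF2_ITERATIONS = 50_000  # assumed value; stretching helps little against 10^6 PINs
MAX_ATTEMPTS = 5            # assumed online lockout threshold


def _stretch(pin: str, salt: bytes) -> bytes:
    """Salted, iterated digest of the PIN; on its own this would still be crackable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_pin(pin: str, device_key: bytes = DEVICE_KEY) -> dict:
    """Return the record to persist: a per-enrolment salt, a keyed tag and a failure counter.

    The tag is HMAC(device_key, stretched PIN), so the record alone reveals
    nothing that can be tested against candidate PINs without the key.
    """
    salt = os.urandom(16)
    tag = hmac.new(device_key, _stretch(pin, salt), hashlib.sha256).digest()
    return {"salt": salt, "tag": tag, "failed": 0}


def verify_pin(record: dict, candidate: str, device_key: bytes = DEVICE_KEY) -> bool:
    """Check a candidate PIN against the record, enforcing lockout after MAX_ATTEMPTS failures.

    Passing a different device_key models the record being copied off the
    device: every check then fails, including the correct PIN.
    """
    if record["failed"] >= MAX_ATTEMPTS:
        return False
    expected = hmac.new(device_key, _stretch(candidate, record["salt"]), hashlib.sha256).digest()
    if hmac.compare_digest(expected, record["tag"]):  # constant-time comparison
        record["failed"] = 0
        return True
    record["failed"] += 1
    return False


if __name__ == "__main__":
    rec = enroll_pin("482913")
    print("correct PIN on device:", verify_pin(rec, "482913"))
    print("wrong PIN on device:  ", verify_pin(rec, "000000"))
    print("correct PIN, no key:  ", verify_pin(rec, "482913", device_key=b"\x01" * 32))
```

Keeping the key inside the keystore means a Frida hook in the app process can observe the PIN the user types and the tag returned, but cannot extract the key to verify guesses elsewhere; protecting the PIN entry itself from an instrumented process is a separate problem that this construction does not solve.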

0 Answers